[test] Crash on invalid intrinsic use unless --fuzzing is on

For example, when --fuzzing is off, %OptimizeFunctionOnNextCall now crashes when given a non-function argument. The following behaviors remain unchanged for now: - %DeoptimizeFunction continues to do nothing if the function is not optimized. - %DeoptimizeNow continues to do nothing if the top-most JS function is not optimized. - %OptimizeOSR continues to do nothing if the function already has optimized code. Bug: v8:10249 Change-Id: I35d2f3d50ce3f94c8ffccabe50fb4df2b70ce028 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137406 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#67121}

[test] Crash on invalid intrinsic use unless --fuzzing is on
For example, when --fuzzing is off, %OptimizeFunctionOnNextCall now crashes when given a non-function argument. The following behaviors remain unchanged for now: - %DeoptimizeFunction continues to do nothing if the function is not optimized. - %DeoptimizeNow continues to do nothing if the top-most JS function is not optimized. - %OptimizeOSR continues to do nothing if the function already has optimized code. Bug: v8:10249 Change-Id: I35d2f3d50ce3f94c8ffccabe50fb4df2b70ce028 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137406 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#67121}
aff70262 · Georg Neis · Commit Bot · 90140db6 · aff70262 · aff70262
Commit aff70262 authored Apr 14, 2020 by Georg Neis Committed by Commit Bot Apr 14, 2020
16 changed files
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -111,6 +111,11 @@ bool WasmInstanceOverride(const v8::FunctionCallbackInfo<v8::Value>& args) {
  return true;
 }
+V8_WARN_UNUSED_RESULT Object CrashUnlessFuzzing(Isolate* isolate) {
+  CHECK(FLAG_fuzzing);
+  return ReadOnlyRoots(isolate).undefined_value();
+}
 }  // namespace
 RUNTIME_FUNCTION(Runtime_ClearMegamorphicStubCache) {
@@ -163,18 +168,13 @@ RUNTIME_FUNCTION(Runtime_DeoptimizeFunction) {
  HandleScope scope(isolate);
  DCHECK_EQ(1, args.length());
-  // This function is used by fuzzers to get coverage in compiler.
-  // Ignore calls on non-function objects to avoid runtime errors.
  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
-  // If the function is not optimized, just return.
+  if (function->IsOptimized()) {
-  if (!function->IsOptimized()) return ReadOnlyRoots(isolate).undefined_value();
    Deoptimizer::DeoptimizeFunction(*function);
+  }
  return ReadOnlyRoots(isolate).undefined_value();
 }
@@ -188,12 +188,11 @@ RUNTIME_FUNCTION(Runtime_DeoptimizeNow) {
  // Find the JavaScript function on the top of the stack.
  JavaScriptFrameIterator it(isolate);
  if (!it.done()) function = handle(it.frame()->function(), isolate);
-  if (function.is_null()) return ReadOnlyRoots(isolate).undefined_value();
+  if (function.is_null()) return CrashUnlessFuzzing(isolate);
-  // If the function is not optimized, just return.
-  if (!function->IsOptimized()) return ReadOnlyRoots(isolate).undefined_value();
+  if (function->IsOptimized()) {
    Deoptimizer::DeoptimizeFunction(*function);
+  }
  return ReadOnlyRoots(isolate).undefined_value();
 }
@@ -238,24 +237,19 @@ RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {
 RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
  HandleScope scope(isolate);
-  // This function is used by fuzzers, ignore calls with bogus arguments count.
  if (args.length() != 1 && args.length() != 2) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
-  // This function is used by fuzzers to get coverage for optimizations
-  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
  // The following conditions were lifted (in part) from the DCHECK inside
  // JSFunction::MarkForOptimization().
  if (!function->shared().allows_lazy_compilation()) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
  // If function isn't compiled, compile it now.
@@ -263,18 +257,18 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
  if (!is_compiled_scope.is_compiled() &&
      !Compiler::Compile(function, Compiler::CLEAR_EXCEPTION,
                         &is_compiled_scope)) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
-  if (!FLAG_opt || (function->shared().optimization_disabled() &&
+  if (!FLAG_opt) return ReadOnlyRoots(isolate).undefined_value();
+  if (function->shared().optimization_disabled() &&
      function->shared().disable_optimization_reason() ==
-                        BailoutReason::kNeverOptimize)) {
+          BailoutReason::kNeverOptimize) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
-  if (function->shared().HasAsmWasmData()) {
+  if (function->shared().HasAsmWasmData()) return CrashUnlessFuzzing(isolate);
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  if (FLAG_testing_d8_test_runner) {
    PendingOptimizationTable::MarkedForOptimization(isolate, function);
@@ -290,11 +284,8 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
  ConcurrencyMode concurrency_mode = ConcurrencyMode::kNotConcurrent;
  if (args.length() == 2) {
-    // Ignore invalid inputs produced by fuzzers.
    CONVERT_ARG_HANDLE_CHECKED(Object, type, 1);
-    if (!type->IsString()) {
+    if (!type->IsString()) return CrashUnlessFuzzing(isolate);
-      return ReadOnlyRoots(isolate).undefined_value();
-    }
    if (Handle<String>::cast(type)->IsOneByteEqualTo(
            StaticCharVector("concurrent")) &&
        isolate->concurrent_recompilation_enabled()) {
@@ -355,9 +346,6 @@ bool EnsureFeedbackVector(Handle<JSFunction> function) {
 RUNTIME_FUNCTION(Runtime_EnsureFeedbackVectorForFunction) {
  HandleScope scope(isolate);
  DCHECK_EQ(1, args.length());
-  if (!args[0].IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
  EnsureFeedbackVector(function);
  return ReadOnlyRoots(isolate).undefined_value();
@@ -366,16 +354,13 @@ RUNTIME_FUNCTION(Runtime_EnsureFeedbackVectorForFunction) {
 RUNTIME_FUNCTION(Runtime_PrepareFunctionForOptimization) {
  HandleScope scope(isolate);
  DCHECK(args.length() == 1 || args.length() == 2);
-  if (!args[0].IsJSFunction()) {
+  if (!args[0].IsJSFunction()) return CrashUnlessFuzzing(isolate);
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
  bool allow_heuristic_optimization = false;
  if (args.length() == 2) {
    CONVERT_ARG_HANDLE_CHECKED(Object, sync_object, 1);
-    if (!sync_object->IsString())
+    if (!sync_object->IsString()) return CrashUnlessFuzzing(isolate);
-      return ReadOnlyRoots(isolate).undefined_value();
    Handle<String> sync = Handle<String>::cast(sync_object);
    if (sync->IsOneByteEqualTo(
            StaticCharVector("allow heuristic optimization"))) {
@@ -384,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_PrepareFunctionForOptimization) {
  }
  if (!EnsureFeedbackVector(function)) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
  // If optimization is disabled for the function, return without making it
@@ -392,13 +377,10 @@ RUNTIME_FUNCTION(Runtime_PrepareFunctionForOptimization) {
  if (function->shared().optimization_disabled() &&
      function->shared().disable_optimization_reason() ==
          BailoutReason::kNeverOptimize) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
-  // We don't optimize Asm/Wasm functions.
+  if (function->shared().HasAsmWasmData()) return CrashUnlessFuzzing(isolate);
-  if (function->shared().HasAsmWasmData()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  // Hold onto the bytecode array between marking and optimization to ensure
  // it's not flushed.
@@ -423,12 +405,14 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
  JavaScriptFrameIterator it(isolate);
  while (!it.done() && stack_depth--) it.Advance();
  if (!it.done()) function = handle(it.frame()->function(), isolate);
-  if (function.is_null()) return ReadOnlyRoots(isolate).undefined_value();
+  if (function.is_null()) return CrashUnlessFuzzing(isolate);
-  if (!FLAG_opt || (function->shared().optimization_disabled() &&
+  if (!FLAG_opt) return ReadOnlyRoots(isolate).undefined_value();
+  if (function->shared().optimization_disabled() &&
      function->shared().disable_optimization_reason() ==
-                        BailoutReason::kNeverOptimize)) {
+          BailoutReason::kNeverOptimize) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
  }
  if (FLAG_testing_d8_test_runner) {
@@ -470,12 +454,8 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
 RUNTIME_FUNCTION(Runtime_NeverOptimizeFunction) {
  HandleScope scope(isolate);
  DCHECK_EQ(1, args.length());
-  // This function is used by fuzzers to get coverage for optimizations
-  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
  function->shared().DisableOptimization(BailoutReason::kNeverOptimize);
  return ReadOnlyRoots(isolate).undefined_value();
@@ -500,21 +480,16 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
    status |= static_cast<int>(OptimizationStatus::kMaybeDeopted);
  }
-  // This function is used by fuzzers to get coverage for optimizations
-  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
+  if (function_object->IsUndefined()) return Smi::FromInt(status);
-    return Smi::FromInt(status);
+  CHECK(function_object->IsJSFunction());
-  }
  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
  status |= static_cast<int>(OptimizationStatus::kIsFunction);
  bool sync_with_compiler_thread = true;
  if (args.length() == 2) {
-    CONVERT_ARG_HANDLE_CHECKED(Object, sync_object, 1);
+    CONVERT_ARG_HANDLE_CHECKED(String, sync, 1);
-    if (!sync_object->IsString())
-      return ReadOnlyRoots(isolate).undefined_value();
-    Handle<String> sync = Handle<String>::cast(sync_object);
    if (sync->IsOneByteEqualTo(StaticCharVector("no sync"))) {
      sync_with_compiler_thread = false;
    }
@@ -575,10 +550,9 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
 RUNTIME_FUNCTION(Runtime_UnblockConcurrentRecompilation) {
  DCHECK_EQ(0, args.length());
-  if (FLAG_block_concurrent_recompilation &&
+  CHECK(FLAG_block_concurrent_recompilation);
-      isolate->concurrent_recompilation_enabled()) {
+  CHECK(isolate->concurrent_recompilation_enabled());
  isolate->optimizing_compile_dispatcher()->Unblock();
-  }
  return ReadOnlyRoots(isolate).undefined_value();
 }
@@ -590,14 +564,11 @@ RUNTIME_FUNCTION(Runtime_GetUndetectable) {
  HandleScope scope(isolate);
  DCHECK_EQ(0, args.length());
  v8::Isolate* v8_isolate = reinterpret_cast<v8::Isolate*>(isolate);
  Local<v8::ObjectTemplate> desc = v8::ObjectTemplate::New(v8_isolate);
  desc->MarkAsUndetectable();
  desc->SetCallAsFunctionHandler(ReturnThis);
-  Local<v8::Object> obj;
+  Local<v8::Object> obj =
-  if (!desc->NewInstance(v8_isolate->GetCurrentContext()).ToLocal(&obj)) {
+      desc->NewInstance(v8_isolate->GetCurrentContext()).ToLocalChecked();
-    return Object();
-  }
  return *Utils::OpenHandle(*obj);
 }
@@ -630,9 +601,6 @@ RUNTIME_FUNCTION(Runtime_GetCallable) {
 RUNTIME_FUNCTION(Runtime_ClearFunctionFeedback) {
  HandleScope scope(isolate);
  DCHECK_EQ(1, args.length());
-  if (!args[0].IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
  CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
  function->ClearTypeFeedbackInfo();
  return ReadOnlyRoots(isolate).undefined_value();
@@ -816,9 +784,7 @@ RUNTIME_FUNCTION(Runtime_DebugTrackRetainingPath) {
  HandleScope scope(isolate);
  DCHECK_LE(1, args.length());
  DCHECK_GE(2, args.length());
-  if (!FLAG_track_retaining_path) {
+  CHECK(FLAG_track_retaining_path);
-    PrintF("DebugTrackRetainingPath requires --track-retaining-path flag.\n");
-  } else {
  CONVERT_ARG_HANDLE_CHECKED(HeapObject, object, 0);
  RetainingPathOption option = RetainingPathOption::kDefault;
  if (args.length() == 2) {
@@ -826,14 +792,11 @@ RUNTIME_FUNCTION(Runtime_DebugTrackRetainingPath) {
    const char track_ephemeron_path[] = "track-ephemeron-path";
    if (str->IsOneByteEqualTo(StaticCharVector(track_ephemeron_path))) {
      option = RetainingPathOption::kTrackEphemeronPath;
-      } else if (str->length() != 0) {
+    } else {
-        PrintF("Unexpected second argument of DebugTrackRetainingPath.\n");
+      CHECK_EQ(str->length(), 0);
-        PrintF("Expected an empty string or '%s', got '%s'.\n",
-               track_ephemeron_path, str->ToCString().get());
    }
  }
  isolate->heap()->AddRetainingPathTarget(object, option);
-  }
  return ReadOnlyRoots(isolate).undefined_value();
 }
@@ -919,10 +882,8 @@ RUNTIME_FUNCTION(Runtime_DisassembleFunction) {
  // Get the function and make sure it is compiled.
  CONVERT_ARG_HANDLE_CHECKED(JSFunction, func, 0);
  IsCompiledScope is_compiled_scope;
-  if (!func->is_compiled() &&
+  CHECK(func->is_compiled() ||
-      !Compiler::Compile(func, Compiler::KEEP_EXCEPTION, &is_compiled_scope)) {
+        Compiler::Compile(func, Compiler::KEEP_EXCEPTION, &is_compiled_scope));
-    return ReadOnlyRoots(isolate).exception();
-  }
  StdoutStream os;
  func->code().Print(os);
  os << std::endl;
@@ -1001,7 +962,6 @@ RUNTIME_FUNCTION(Runtime_IsAsmWasmCode) {
  DCHECK_EQ(1, args.length());
  CONVERT_ARG_CHECKED(JSFunction, function, 0);
  if (!function.shared().HasAsmWasmData()) {
-    // Doesn't have wasm data.
    return ReadOnlyRoots(isolate).false_value();
  }
  if (function.shared().HasBuiltinId() &&
@@ -1080,13 +1040,12 @@ RUNTIME_FUNCTION(Runtime_GetWasmExceptionId) {
  CONVERT_ARG_HANDLE_CHECKED(WasmInstanceObject, instance, 1);
  Handle<Object> tag =
      WasmExceptionPackage::GetExceptionTag(isolate, exception);
-  if (tag->IsWasmExceptionTag()) {
+  CHECK(tag->IsWasmExceptionTag());
  Handle<FixedArray> exceptions_table(instance->exceptions_table(), isolate);
  for (int index = 0; index < exceptions_table->length(); ++index) {
    if (exceptions_table->get(index) == *tag) return Smi::FromInt(index);
  }
-  }
+  UNREACHABLE();
-  return ReadOnlyRoots(isolate).undefined_value();
 }
 RUNTIME_FUNCTION(Runtime_GetWasmExceptionValues) {
@@ -1102,7 +1061,6 @@ RUNTIME_FUNCTION(Runtime_GetWasmExceptionValues) {
 namespace {
 bool EnableWasmThreads(v8::Local<v8::Context> context) { return true; }
 bool DisableWasmThreads(v8::Local<v8::Context> context) { return false; }
 }  // namespace
@@ -1226,8 +1184,7 @@ RUNTIME_FUNCTION(Runtime_SerializeWasmModule) {
    return *array_buffer;
  }
-  // Error. Return undefined.
+  UNREACHABLE();
-  return ReadOnlyRoots(isolate).undefined_value();
 }
 // Take an array buffer and attempt to reconstruct a compiled wasm module.

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -24433,8 +24433,6 @@ TEST(TurboAsmDisablesDetach) {
      "}"
      "var buffer = new ArrayBuffer(4096);"
      "var module = Module(this, {}, buffer);"
-      "%PrepareFunctionForOptimization(module.load);"
-      "%OptimizeFunctionOnNextCall(module.load);"
      "module.load();"
      "buffer";
@@ -24450,8 +24448,6 @@ TEST(TurboAsmDisablesDetach) {
      "}"
      "var buffer = new ArrayBuffer(4096);"
      "var module = Module(this, {}, buffer);"
-      "%PrepareFunctionForOptimization(module.store);"
-      "%OptimizeFunctionOnNextCall(module.store);"
      "module.store();"
      "buffer";

--- a/test/inspector/debugger/asm-js-breakpoint-before-exec-expected.txt
+++ b/test/inspector/debugger/asm-js-breakpoint-before-exec-expected.txt
@@ -5,7 +5,7 @@ Running test: enableDebugger
 Running test: addScript
 Script nr 1 parsed!
 First script; assuming testFunction.
-Flooding script with breakpoints for the lines 3 to 21...
+Flooding script with breakpoints for the lines 3 to 19...
 Setting breakpoint on line 3
 error: undefined
 Setting breakpoint on line 4
@@ -38,36 +38,26 @@ Setting breakpoint on line 17
 error: undefined
 Setting breakpoint on line 18
 error: undefined
-Setting breakpoint on line 19
-error: undefined
-Setting breakpoint on line 20
-error: undefined
 Running test: runTestFunction
 Script nr 2 parsed!
 Paused #1
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":17,"columnNumber":2}
+  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":17,"columnNumber":12}
  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Paused #2
  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Paused #3
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":19,"columnNumber":12}
-  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
-Paused #4
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
-  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
-Paused #5
  - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":14,"columnNumber":4}
  - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
  - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
  - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
-Paused #6
+Paused #4
  - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":15,"columnNumber":2}
  - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
  - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
  - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Running test: finished

--- a/test/inspector/debugger/asm-js-breakpoint-before-exec.js
+++ b/test/inspector/debugger/asm-js-breakpoint-before-exec.js
@@ -25,8 +25,6 @@ function testFunction() {
    debugger;
  }
-  %PrepareFunctionForOptimization(generateAsmJs);
-  %OptimizeFunctionOnNextCall(generateAsmJs);
  var fun = generateAsmJs(this, {'call_debugger': call_debugger}, undefined);
  fun();
 }

--- a/test/inspector/debugger/asm-js-breakpoint-during-exec-expected.txt
+++ b/test/inspector/debugger/asm-js-breakpoint-during-exec-expected.txt
@@ -11,10 +11,10 @@ Paused #1
  - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":14,"columnNumber":4}
  - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
  - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
  - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 First time paused, setting breakpoints!
-Flooding script with breakpoints for all lines (0 - 24)...
+Flooding script with breakpoints for all lines (0 - 22)...
 Setting breakpoint on line 0
 error: undefined
 Setting breakpoint on line 1
@@ -59,27 +59,23 @@ Setting breakpoint on line 20
 error: undefined
 Setting breakpoint on line 21
 error: undefined
-Setting breakpoint on line 22
-error: undefined
-Setting breakpoint on line 23
-error: undefined
 Script nr 3 parsed!
 Resuming...
 Paused #2
  - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":15,"columnNumber":2}
  - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
  - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
  - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Script nr 4 parsed!
 Resuming...
 Paused #3
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":22,"columnNumber":17}
+  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":17}
  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Script nr 5 parsed!
 Resuming...
 Paused #4
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":23,"columnNumber":2}
+  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":21,"columnNumber":2}
  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Script nr 6 parsed!
 Resuming...

--- a/test/inspector/debugger/asm-js-breakpoint-during-exec.js
+++ b/test/inspector/debugger/asm-js-breakpoint-during-exec.js
@@ -25,8 +25,6 @@ function testFunction() {
    debugger;
  }
-  %PrepareFunctionForOptimization(generateAsmJs);
-  %OptimizeFunctionOnNextCall(generateAsmJs);
  var fun = generateAsmJs(this, {'call_debugger': call_debugger}, undefined);
  fun();

--- a/test/mjsunit/asm/load-elimination.js
+++ b/test/mjsunit/asm/load-elimination.js
@@ -23,5 +23,3 @@ var foo = (function(stdlib, foreign, heap) {
 assertEquals(0x1234, foo());
 assertEquals(0x1234, foo());
-%OptimizeFunctionOnNextCall(foo);
-assertEquals(0x1234, foo());
--- a/test/mjsunit/compiler/osr-infinite.js
+++ b/test/mjsunit/compiler/osr-infinite.js
@@ -11,7 +11,6 @@ function thrower() {
  if (x == 5)  %OptimizeOsr(1);
  if (x == 10) throw "terminate";
 }
-%PrepareFunctionForOptimization(thrower);
 %NeverOptimizeFunction(thrower);  // Don't want to inline the thrower.
 %NeverOptimizeFunction(test);     // Don't want to inline the func into test.

--- a/test/mjsunit/es6/regress/regress-411237.js
+++ b/test/mjsunit/es6/regress/regress-411237.js
-// Copyright 2014 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-// Flags: --allow-natives-syntax
-%PrepareFunctionForOptimization(print);
-try {
-  %OptimizeFunctionOnNextCall(print);
-} catch(e) { }
-try {
-  function* f() {
-  }
-  %PrepareFunctionForOptimization(f);
-  %OptimizeFunctionOnNextCall(f);
-} catch(e) { }
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -1137,6 +1137,7 @@
  # interrupt_budget overrides don't work with TurboProp.
  'interrupt-budget-override': [SKIP],
+  'never-optimize': [SKIP],
 }],  # variant == turboprop
 ##############################################################################

--- a/test/mjsunit/never-optimize.js
+++ b/test/mjsunit/never-optimize.js
@@ -25,38 +25,23 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax --opt --no-always-opt
+// Flags: --allow-natives-syntax --opt --no-always-opt --no-use-osr
+// Flags: --interrupt-budget=1024
-function o1() {
+function o1() { }
-}
 %PrepareFunctionForOptimization(o1);
 o1(); o1();
 %OptimizeFunctionOnNextCall(o1);
 o1();
-// Check that the given function was optimized.
 assertOptimized(o1);
 // Test the %NeverOptimizeFunction runtime call.
+function u1(i) { return i+1 }
+function u2(i) { return i+1 }
 %NeverOptimizeFunction(u1);
-function u1() {
+for (let i = 0; i < 1000; ++i) {
-}
-function u2() {
  u1();
+  u2();
 }
-%PrepareFunctionForOptimization(u1);
-%PrepareFunctionForOptimization(u2);
-u1(); u1();
-u2(); u2();
-%OptimizeFunctionOnNextCall(u1);
-%OptimizeFunctionOnNextCall(u2);
-u1(); u1();
-u2(); u2();
 assertUnoptimized(u1);
 assertOptimized(u2);
--- a/test/mjsunit/regress/regress-1365.js
+++ b/test/mjsunit/regress/regress-1365.js
@@ -43,7 +43,6 @@ assertEquals(Object.prototype, Object.prototype.valueOf());
 assertThrows(callGlobalValueOf);
 assertThrows(callGlobalHasOwnProperty);
-%OptimizeFunctionOnNextCall(Object.prototype.valueOf);
 Object.prototype.valueOf();
 assertEquals(Object.prototype, Object.prototype.valueOf());

--- a/test/mjsunit/regress/regress-347542.js
+++ b/test/mjsunit/regress/regress-347542.js
-// Copyright 2014 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-// Flags: --allow-natives-syntax
-function foo() {};
-%PrepareFunctionForOptimization(foo);
-foo();
-%OptimizeFunctionOnNextCall(foo);
-foo();
-%NeverOptimizeFunction(foo);
--- a/test/mjsunit/regress/regress-447756.js
+++ b/test/mjsunit/regress/regress-447756.js
@@ -42,7 +42,8 @@ function TestOptimizedCode() {
  assertSame(Infinity, 1 / a1.byteOffset);
 }
-%OptimizeFunctionOnNextCall(Uint8Array);
+%PrepareFunctionForOptimization(TestOptimizedCode);
-for (var i = 0; i < 1000; i++) {
+TestOptimizedCode();
-  TestOptimizedCode();
+TestOptimizedCode();
-}
+%OptimizeFunctionOnNextCall(TestOptimizedCode);
+TestOptimizedCode();
--- a/test/mjsunit/regress/regress-491481.js
+++ b/test/mjsunit/regress/regress-491481.js
-// Copyright 2015 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-// Flags: --allow-natives-syntax
-try {
-%OptimizeFunctionOnNextCall(print);
-try {
-  __f_16();
-} catch(e) { print(e); }
-try {
-  __f_10();
-} catch(e) {; }
-} catch(e) {}
--- a/test/mjsunit/regress/regress-crbug-754177.js
+++ b/test/mjsunit/regress/regress-crbug-754177.js
@@ -2,11 +2,14 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-// Flags: --allow-natives-syntax
+// Flags: --allow-natives-syntax  --fuzzing
-// Do not crash on non-JSFunction input.
+// Do not crash on non-JSFunction input when fuzzing.
 %NeverOptimizeFunction(undefined);
 %NeverOptimizeFunction(true);
 %NeverOptimizeFunction(1);
 %NeverOptimizeFunction({});
 assertThrows("%NeverOptimizeFunction()", SyntaxError);
+%PrepareFunctionForOptimization(print);
+%OptimizeFunctionOnNextCall(print);